The purpose of this section is to provide a checklist designed to assess the physical, operational, and administrative security posture of a Mission. Individual line items that are checked "No" should be documented in the comments section.
Risk Assessment Team Members
Physical Security

| Fire | YES | NO |
|---|---|---|
| Smoke and heat detectors | | |
| Fire containment for important rooms (machine rooms) | | |
| Fire extinguishers/suppression systems | | |
| No-smoking policy near computer equipment | | |
| Fireproof containers for computer media | | |

| Lightning | YES | NO |
|---|---|---|
| Proper grounding and protection | | |

| Environment | YES | NO |
|---|---|---|
| Temperature control (air conditioning) | | |
| Humidity control | | |
| Separate air conditioning for computer rooms | | |
| Alarms on temperature/humidity control equipment | | |
| Air filters | | |
| Sensitive equipment placed away from vents | | |

| Electricity | YES | NO |
|---|---|---|
| Clean electricity supply | | |
| Uninterruptible power supply (delay time, usage time) | | |
| Anti-static carpet | | |
| Emergency lighting | | |

| Intruder | YES | NO |
|---|---|---|
| General security of computer rooms | | |
| Dropped ceilings: computer room walls extend all the way to the real ceiling | | |
| Raised floors | | |
| Air ducts inaccessible | | |
| Windows locked/barred | | |
| Telephone and network connections and routers physically protected | | |
| Firewall functioning | | |
| Dial-back modems for remote access service (RAS) | | |
| Access to phone switch room restricted | | |

| Intruder Alerts | YES | NO |
|---|---|---|
| Guards at critical entrances (main gate, all building entrances) | | |
| After-hours policy set and enforced | | |
| Authentication of employees (ID badge check) | | |
| Burglar alarms set in accordance with after-hours policy | | |
| Surveillance equipment | | |
| Properly trained escorts for visitors | | |

| Personnel Security | YES | NO |
|---|---|---|
| Vendor agreements to check their employees | | |
| Public security policy (in writing, easily available) | | |
| Train employees to watch for suspicious activity | | |
| Train supervisors to watch for possible employee problems | | |
| Established security audit procedures | | |
| Precautions against fired/departing employees | | |
| Explicit restrictions on resource usage | | |
| Visitor log maintained for all personnel not authorized to be in the computer room | | |
| Access list and point of contact (POC) posted at the entrance to the central computer room | | |

| Technical Security | YES | NO |
|---|---|---|
| One-time password or challenge-response authentication | | |
| Tiger team password cracking | | |
| Encryption of channels | | |
| Shielding (electromagnetic interference) | | |
| Firewalls | | |
| Conduit protection of network wiring | | |
| System audit trail reviewed for anomalies | | |

| Administrative Security | YES | NO |
|---|---|---|
| US citizens with SECRET clearance appointed ISSO (Information System Security Officer) and alternate | | |
| List of all equipment and software maintained and up to date | | |
| User access privileges reviewed within the last 12 months | | |
| All dial-in accounts and network connections authorized and accounted for | | |
| Log maintained of requested/performed maintenance | | |
| Up-to-date contingency plans in place | | |
| Contingency plan successfully practiced or implemented within the last 12 months | | |
| Up-to-date disaster recovery and emergency action plans in place | | |
| Disaster recovery and emergency action plan successfully practiced or implemented within the last 12 months | | |
| All system users have received security awareness training within the last 12 months and have signed a USAID AIS Access Agreement form | | |

| Operations Security | YES | NO |
|---|---|---|
| Random security checks | | |
| Identify critical/targeted data | | |
| Established procedures for dealing with computer crime | | |
| Established response team | | |
| Practice drills for response team | | |
| Policy for handling sensitive/confidential/trade-secret data | | |
| Spot checks of trash for improperly disposed sensitive but unclassified (SBU) material | | |
| Warn employees about industrial espionage (travel abroad) | | |